revert my last changes back to Alex's version of ObpCaptureObjectAttributes as I'm being an incompetent ass. This will introduce several vulnerabilities and bugs again.

svn path=/trunk/; revision=17217
This commit is contained in:
Thomas Bluemel 2005-08-08 16:58:30 +00:00
parent 4280eeb5a3
commit 3ed0977d46
7 changed files with 152 additions and 326 deletions

View file

@ -192,19 +192,20 @@ NtCreateKey(OUT PHANDLE KeyHandle,
PWSTR Start;
UNICODE_STRING ObjectName;
OBJECT_CREATE_INFORMATION ObjectCreateInfo;
KPROCESSOR_MODE PreviousMode;
unsigned i;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
DPRINT("NtCreateKey (Name %wZ KeyHandle 0x%p Root 0x%p)\n",
ObjectAttributes->ObjectName,
KeyHandle,
ObjectAttributes->RootDirectory);
/* Capture all the info */
DPRINT("Capturing Create Info\n");
Status = ObpCaptureObjectAttributes(ObjectAttributes,
PreviousMode,
PagedPool,
FALSE,
KeGetPreviousMode(),
CmiKeyType,
&ObjectCreateInfo,
&ObjectName);
if (!NT_SUCCESS(Status))
@ -218,10 +219,8 @@ NtCreateKey(OUT PHANDLE KeyHandle,
(PVOID*)&Object,
&RemainingPath,
CmiKeyType);
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
&ObjectName,
PreviousMode,
FALSE);
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
if (!NT_SUCCESS(Status))
{
DPRINT("CmpFindObject failed, Status: 0x%x\n", Status);
@ -1170,8 +1169,7 @@ NtOpenKey(OUT PHANDLE KeyHandle,
DPRINT("Capturing Create Info\n");
Status = ObpCaptureObjectAttributes(ObjectAttributes,
PreviousMode,
PagedPool,
FALSE,
CmiKeyType,
&ObjectCreateInfo,
&ObjectName);
if (!NT_SUCCESS(Status))
@ -1187,10 +1185,8 @@ NtOpenKey(OUT PHANDLE KeyHandle,
(PVOID*)&Object,
&RemainingPath,
CmiKeyType);
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
&ObjectName,
PreviousMode,
FALSE);
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
if (!NT_SUCCESS(Status))
{
DPRINT("CmpFindObject() returned 0x%08lx\n", Status);

View file

@ -705,8 +705,7 @@ CmiConnectHive(IN POBJECT_ATTRIBUTES KeyObjectAttributes,
DPRINT("Capturing Create Info\n");
Status = ObpCaptureObjectAttributes(KeyObjectAttributes,
KernelMode,
PagedPool,
FALSE,
CmiKeyType,
&ObjectCreateInfo,
&ObjectName);
if (!NT_SUCCESS(Status))
@ -720,10 +719,8 @@ CmiConnectHive(IN POBJECT_ATTRIBUTES KeyObjectAttributes,
(PVOID*)&ParentKey,
&RemainingPath,
CmiKeyType);
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
&ObjectName,
KernelMode,
FALSE);
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
if (!NT_SUCCESS(Status))
{
return Status;

View file

@ -173,6 +173,14 @@ ObFastDereferenceObject(IN PEX_FAST_REF FastRef,
/* Secure object information functions */
typedef struct _CAPTURED_OBJECT_ATTRIBUTES
{
HANDLE RootDirectory;
ULONG Attributes;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} CAPTURED_OBJECT_ATTRIBUTES, *PCAPTURED_OBJECT_ATTRIBUTES;
NTSTATUS
STDCALL
ObpCaptureObjectName(IN PUNICODE_STRING CapturedName,
@ -181,19 +189,16 @@ ObpCaptureObjectName(IN PUNICODE_STRING CapturedName,
NTSTATUS
STDCALL
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes,
IN KPROCESSOR_MODE AccessMode,
IN POOL_TYPE PoolType,
IN BOOLEAN CaptureIfKernel,
OUT POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
OUT PUNICODE_STRING ObjectName OPTIONAL);
IN POBJECT_TYPE ObjectType,
IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
OUT PUNICODE_STRING ObjectName);
VOID
STDCALL
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
IN PUNICODE_STRING ObjectName OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
IN BOOLEAN CaptureIfKernel);
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo);
/* object information classes */
#define ICIF_QUERY 0x1

View file

@ -410,7 +410,7 @@ NtConnectPort (PHANDLE UnsafeConnectedPortHandle,
NULL,
PORT_ALL_ACCESS, /* DesiredAccess */
LpcPortObjectType,
PreviousMode,
UserMode,
NULL,
(PVOID*)&NamedPort);
if (!NT_SUCCESS(Status))
@ -430,7 +430,7 @@ NtConnectPort (PHANDLE UnsafeConnectedPortHandle,
Status = ObReferenceObjectByHandle(WriteMap.SectionHandle,
SECTION_MAP_READ | SECTION_MAP_WRITE,
MmSectionObjectType,
PreviousMode,
UserMode,
(PVOID*)&SectionObject,
NULL);
if (!NT_SUCCESS(Status))

View file

@ -955,7 +955,7 @@ ObInsertObject(IN PVOID Object,
/* First try to find the Object */
if (ObjectNameInfo && ObjectNameInfo->Name.Buffer)
{
DPRINT("Object has a name. Trying to find it: \"%wZ\".\n", &ObjectNameInfo->Name);
DPRINT("Object has a name. Trying to find it: %wZ.\n", &ObjectNameInfo->Name);
Status = ObFindObject(ObjectCreateInfo,
&ObjectNameInfo->Name,
&FoundObject,
@ -1132,10 +1132,7 @@ ObInsertObject(IN PVOID Object,
/* We can delete the Create Info now */
Header->ObjectCreateInfo = NULL;
ObpReleaseCapturedAttributes(ObjectCreateInfo,
NULL,
ObjectCreateInfo->ProbeMode,
FALSE);
ObpReleaseCapturedAttributes(ObjectCreateInfo);
ExFreePool(ObjectCreateInfo);
DPRINT("Status %x\n", Status);

View file

@ -71,34 +71,19 @@ ObReferenceObjectByName(PUNICODE_STRING ObjectPath,
PAGED_CODE();
/* capture the ObjectPath */
Status = RtlCaptureUnicodeString(&ObjectName,
AccessMode,
NonPagedPool, /* FIXME */
FALSE,
ObjectPath);
if (!NT_SUCCESS(Status))
{
DPRINT("RtlCaptureUnicodeString() failed (Status %lx)\n", Status);
return Status;
}
InitializeObjectAttributes(&ObjectAttributes,
&ObjectName,
ObjectPath,
Attributes | OBJ_OPENIF,
NULL,
NULL);
/* "Capture" all the info, it doesn't make sense to capture from the kernel
stack as the information should be safe anyway...just do a raw copy of the
data into the OBJECT_CREATE_INFORMATION structure */
/* Capture all the info */
DPRINT("Capturing Create Info\n");
Status = ObpCaptureObjectAttributes(&ObjectAttributes,
KernelMode, /* raw copy! */
NonPagedPool,
FALSE,
AccessMode,
ObjectType,
&ObjectCreateInfo,
NULL);
&ObjectName);
if (!NT_SUCCESS(Status))
{
DPRINT("ObpCaptureObjectAttributes() failed (Status %lx)\n", Status);
@ -111,18 +96,8 @@ ObReferenceObjectByName(PUNICODE_STRING ObjectPath,
&RemainingPath,
ObjectType);
/* we don't need to release the "captured" object attributes! Nothing was allocated! */
#if 0
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
NULL,
AccessMode,
FALSE);
#endif
/* free the captured ObjectPath if needed */
RtlReleaseCapturedUnicodeString(&ObjectName,
AccessMode,
FALSE);
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
if (!NT_SUCCESS(Status))
{
@ -194,8 +169,7 @@ ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes,
DPRINT("Capturing Create Info\n");
Status = ObpCaptureObjectAttributes(ObjectAttributes,
AccessMode,
PagedPool,
FALSE,
ObjectType,
&ObjectCreateInfo,
&ObjectName);
if (!NT_SUCCESS(Status))
@ -209,10 +183,8 @@ ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes,
&Object,
&RemainingPath,
ObjectType);
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
&ObjectName,
AccessMode,
FALSE);
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
if (!NT_SUCCESS(Status))
{
DPRINT("ObFindObject() failed (Status %lx)\n", Status);

View file

@ -110,296 +110,161 @@ ObpCaptureObjectName(IN OUT PUNICODE_STRING CapturedName,
NTSTATUS
STDCALL
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes,
IN KPROCESSOR_MODE AccessMode,
IN POOL_TYPE PoolType,
IN BOOLEAN CaptureIfKernel,
OUT POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
OUT PUNICODE_STRING ObjectName OPTIONAL)
IN POBJECT_TYPE ObjectType,
IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
OUT PUNICODE_STRING ObjectName)
{
OBJECT_ATTRIBUTES AttributesCopy;
NTSTATUS Status = STATUS_SUCCESS;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
PUNICODE_STRING LocalObjectName = NULL;
/* at least one output parameter must be != NULL! */
ASSERT(CapturedObjectAttributes != NULL || ObjectName != NULL);
/* Zero out the Capture Data */
DPRINT("ObpCaptureObjectAttributes\n");
RtlZeroMemory(ObjectCreateInfo, sizeof(OBJECT_CREATE_INFORMATION));
if (ObjectAttributes == NULL)
/* Check if we got Oba */
if (ObjectAttributes)
{
/* we're going to return STATUS_SUCCESS! */
goto failbasiccleanup;
}
if (AccessMode != KernelMode)
{
DPRINT("Probing OBA\n");
_SEH_TRY
{
/* FIXME: SMSS SENDS BULLSHIT. */
#if 0
ProbeForRead(ObjectAttributes,
sizeof(ObjectAttributes),
sizeof(ULONG));
/* make a copy on the stack */
AttributesCopy = *ObjectAttributes;
#endif
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
/* Validate the Size */
DPRINT("Validating OBA\n");
if (ObjectAttributes->Length != sizeof(OBJECT_ATTRIBUTES))
{
Status = STATUS_INVALID_PARAMETER;
}
/* Fail if SEH or Size Validation failed */
if(!NT_SUCCESS(Status))
{
DPRINT1("ObpCaptureObjectAttributes failed to probe object attributes 0x%p\n", ObjectAttributes);
goto failbasiccleanup;
}
}
else if (!CaptureIfKernel)
{
if (ObjectAttributes->Length == sizeof(OBJECT_ATTRIBUTES))
{
if (ObjectName != NULL)
{
/* we don't have to capture any memory, the caller considers the passed data
as valid */
if (ObjectAttributes->ObjectName != NULL)
{
*ObjectName = *ObjectAttributes->ObjectName;
}
else
{
ObjectName->Length = ObjectName->MaximumLength = 0;
ObjectName->Buffer = NULL;
}
}
if (CapturedObjectAttributes != NULL)
{
CapturedObjectAttributes->RootDirectory = ObjectAttributes->RootDirectory;
CapturedObjectAttributes->Attributes = ObjectAttributes->Attributes;
CapturedObjectAttributes->SecurityDescriptor = ObjectAttributes->SecurityDescriptor;
CapturedObjectAttributes->SecurityDescriptorCharge = 0; /* FIXME */
CapturedObjectAttributes->ProbeMode = AccessMode;
DPRINT1("ObpCaptureObjectAttributes failed to probe object attributes\n");
goto fail;
}
return STATUS_SUCCESS;
}
else
{
Status = STATUS_INVALID_PARAMETER;
goto failbasiccleanup;
}
}
else
{
AttributesCopy = *ObjectAttributes;
}
/* Set some Create Info */
DPRINT("Creating OBCI\n");
ObjectCreateInfo->RootDirectory = ObjectAttributes->RootDirectory;
ObjectCreateInfo->Attributes = ObjectAttributes->Attributes;
LocalObjectName = ObjectAttributes->ObjectName;
SecurityDescriptor = ObjectAttributes->SecurityDescriptor;
SecurityQos = ObjectAttributes->SecurityQualityOfService;
/* if Length isn't as expected, bail with an invalid parameter status code so
the caller knows he passed garbage... */
if (AttributesCopy.Length != sizeof(OBJECT_ATTRIBUTES))
/* Validate the SD */
if (SecurityDescriptor)
{
Status = STATUS_INVALID_PARAMETER;
goto failbasiccleanup;
}
if (CapturedObjectAttributes != NULL)
{
CapturedObjectAttributes->RootDirectory = AttributesCopy.RootDirectory;
CapturedObjectAttributes->Attributes = AttributesCopy.Attributes;
if (AttributesCopy.SecurityDescriptor != NULL)
{
Status = SeCaptureSecurityDescriptor(AttributesCopy.SecurityDescriptor,
DPRINT("Probing SD: %x\n", SecurityDescriptor);
Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
AccessMode,
PoolType,
NonPagedPool,
TRUE,
&CapturedObjectAttributes->SecurityDescriptor);
&ObjectCreateInfo->SecurityDescriptor);
if(!NT_SUCCESS(Status))
{
DPRINT1("Unable to capture the security descriptor!!!\n");
goto failbasiccleanup;
}
CapturedObjectAttributes->SecurityDescriptorCharge = 0; /* FIXME */
}
else
{
CapturedObjectAttributes->SecurityDescriptor = NULL;
CapturedObjectAttributes->SecurityDescriptorCharge = 0;
}
ObjectCreateInfo->SecurityDescriptor = NULL;
goto fail;
}
if (ObjectName != NULL)
{
ObjectName->Buffer = NULL;
DPRINT("Probe done\n");
ObjectCreateInfo->SecurityDescriptorCharge = 0; /* FIXME */
ObjectCreateInfo->ProbeMode = AccessMode;
}
if (AttributesCopy.ObjectName != NULL)
/* Validate the QoS */
if (SecurityQos)
{
UNICODE_STRING OriginalCopy = {0};
if (AccessMode != KernelMode)
{
DPRINT("Probing QoS\n");
_SEH_TRY
{
/* probe the ObjectName structure and make a local stack copy of it */
ProbeForRead(AttributesCopy.ObjectName,
sizeof(UNICODE_STRING),
ProbeForRead(SecurityQos,
sizeof(SECURITY_QUALITY_OF_SERVICE),
sizeof(ULONG));
OriginalCopy = *AttributesCopy.ObjectName;
if (OriginalCopy.Length > 0)
{
ProbeForRead(OriginalCopy.Buffer,
OriginalCopy.Length,
sizeof(WCHAR));
}
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (NT_SUCCESS(Status))
{
ObjectName->Length = OriginalCopy.Length;
if(OriginalCopy.Length > 0)
{
ObjectName->MaximumLength = OriginalCopy.Length + sizeof(WCHAR);
ObjectName->Buffer = ExAllocatePool(PoolType,
ObjectName->MaximumLength);
if (ObjectName->Buffer != NULL)
{
_SEH_TRY
{
/* no need to probe OriginalCopy.Buffer again, we already did that
when capturing the UNICODE_STRING structure itself */
RtlCopyMemory(ObjectName->Buffer, OriginalCopy.Buffer, OriginalCopy.Length);
ObjectName->Buffer[OriginalCopy.Length / sizeof(WCHAR)] = L'\0';
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DPRINT1("ObpCaptureObjectAttributes failed to copy the unicode string!\n");
DPRINT1("Unable to capture QoS!!!\n");
goto fail;
}
ObjectCreateInfo->SecurityQualityOfService = *SecurityQos;
ObjectCreateInfo->SecurityQos = &ObjectCreateInfo->SecurityQualityOfService;
}
}
/* Clear Local Object Name */
DPRINT("Clearing name\n");
RtlZeroMemory(ObjectName, sizeof(UNICODE_STRING));
/* Now check if the Object Attributes had an Object Name */
if (LocalObjectName)
{
DPRINT("Name Buffer: %x\n", LocalObjectName->Buffer);
Status = ObpCaptureObjectName(ObjectName,
LocalObjectName,
AccessMode);
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
else if(AttributesCopy.RootDirectory != NULL /* && OriginalCopy.Length == 0 */)
/* He can't have specified a Root Directory */
if (ObjectCreateInfo->RootDirectory)
{
/* if the caller specified a root directory, there must be an object name! */
DPRINT1("Invalid name\n");
Status = STATUS_OBJECT_NAME_INVALID;
}
else
{
ObjectName->Length = ObjectName->MaximumLength = 0;
}
}
#ifdef DBG
else
{
DPRINT1("ObpCaptureObjectAttributes failed to probe the object name UNICODE_STRING structure!\n");
}
#endif
}
else /* AccessMode == KernelMode */
{
OriginalCopy = *AttributesCopy.ObjectName;
ObjectName->Length = OriginalCopy.Length;
if (OriginalCopy.Length > 0)
{
ObjectName->MaximumLength = OriginalCopy.Length + sizeof(WCHAR);
ObjectName->Buffer = ExAllocatePool(PoolType,
ObjectName->MaximumLength);
if (ObjectName->Buffer != NULL)
{
RtlCopyMemory(ObjectName->Buffer, OriginalCopy.Buffer, OriginalCopy.Length);
ObjectName->Buffer[OriginalCopy.Length / sizeof(WCHAR)] = L'\0';
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
else if (AttributesCopy.RootDirectory != NULL /* && OriginalCopy.Length == 0 */)
{
/* if the caller specified a root directory, there must be an object name! */
Status = STATUS_OBJECT_NAME_INVALID;
}
else
{
ObjectName->Length = ObjectName->MaximumLength = 0;
}
}
}
else
{
ObjectName->Length = ObjectName->MaximumLength = 0;
}
}
CapturedObjectAttributes->ProbeMode = AccessMode;
fail:
if (!NT_SUCCESS(Status))
{
if (ObjectName != NULL && ObjectName->Buffer)
{
ExFreePool(ObjectName->Buffer);
}
if (CapturedObjectAttributes != NULL)
{
/* cleanup allocated resources */
SeReleaseSecurityDescriptor(CapturedObjectAttributes->SecurityDescriptor,
AccessMode,
TRUE);
}
failbasiccleanup:
if (ObjectName != NULL)
{
ObjectName->Length = ObjectName->MaximumLength = 0;
ObjectName->Buffer = NULL;
}
if (CapturedObjectAttributes != NULL)
{
RtlZeroMemory(CapturedObjectAttributes, sizeof(OBJECT_CREATE_INFORMATION));
}
DPRINT1("Failed to capture, cleaning up\n");
ObpReleaseCapturedAttributes(ObjectCreateInfo);
}
DPRINT("Return to caller\n");
return Status;
}
VOID
STDCALL
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
IN PUNICODE_STRING ObjectName OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
IN BOOLEAN CaptureIfKernel)
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo)
{
/* WARNING - You need to pass the same parameters to this function as you passed
to ObpCaptureObjectAttributes() to avoid memory leaks */
if(AccessMode != KernelMode || CaptureIfKernel)
/* Release the SD, it's the only thing we allocated */
if (ObjectCreateInfo->SecurityDescriptor)
{
if(CapturedObjectAttributes != NULL &&
CapturedObjectAttributes->SecurityDescriptor != NULL)
{
ExFreePool(CapturedObjectAttributes->SecurityDescriptor);
#ifdef DBG
RtlZeroMemory(CapturedObjectAttributes, sizeof(OBJECT_CREATE_INFORMATION));
#endif
}
if(ObjectName != NULL &&
ObjectName->Length > 0)
{
ExFreePool(ObjectName->Buffer);
}
SeReleaseSecurityDescriptor(ObjectCreateInfo->SecurityDescriptor,
ObjectCreateInfo->ProbeMode,
TRUE);
ObjectCreateInfo->SecurityDescriptor = NULL;
}
}
@ -483,7 +348,7 @@ ObFindObject(POBJECT_CREATE_INFORMATION ObjectCreateInfo,
ObjectName->Buffer[0] != L'\\')
{
ObDereferenceObject (CurrentObject);
DPRINT1("failed: \"%wZ\"\n", ObjectName);
DPRINT1("failed\n");
return STATUS_UNSUCCESSFUL;
}
@ -930,9 +795,8 @@ ObCreateObject(IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
/* Capture all the info */
DPRINT("Capturing Create Info\n");
Status = ObpCaptureObjectAttributes(ObjectAttributes,
ObjectAttributesAccessMode,
NonPagedPool,
TRUE,
AccessMode,
Type,
ObjectCreateInfo,
&ObjectName);
@ -958,10 +822,8 @@ ObCreateObject(IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
/* Release the Capture Info, we don't need it */
DPRINT1("Allocation failed\n");
ObpReleaseCapturedAttributes(ObjectCreateInfo,
&ObjectName,
ObjectAttributesAccessMode,
TRUE);
ObpReleaseCapturedAttributes(ObjectCreateInfo);
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
}
/* We failed, so release the Buffer */
@ -1115,10 +977,7 @@ ObpDeleteObject(POBJECT_HEADER Header)
}
if (Header->ObjectCreateInfo)
{
ObpReleaseCapturedAttributes(Header->ObjectCreateInfo,
NULL,
Header->ObjectCreateInfo->ProbeMode,
FALSE);
ObpReleaseCapturedAttributes(Header->ObjectCreateInfo);
ExFreePool(Header->ObjectCreateInfo);
}